Hello,
We cannot submit any text which contains "select " followed later by " into ". (Spaces are important.) Presumably, it's a rule somewhere to block SQL injection attacks. In this case, we want to submit this sentence: "I work with select partners and country representatives to create annual humanitarian response plans that compliment Muslim Aids strategic goals, but also take into consideration country-specific contexts and growth of partners."
The simplest curl examples of working and failing requests:
Working OK - returns HTTP 302 redirect:
LAPTOP:~$ curl -i 'https://example.com/app/survey/response.jsp' -H 'Content-Type: application/x-www-form-urlencoded' --data-raw 'foo=I work with selectXXXXX partners and country representatives to create annual humanitarian response plans that compliment Muslim Aids strategic goals, but also take into consideration country specific contexts and growth of partners.'
HTTP/1.1 302
Set-Cookie: _TC_AUTHCOOKIE_JSESSIONID=7fca47c3-61a5-4555-85eb-9231a6af28a6; Path=/app/; Secure; HttpOnly; Secure
Set-Cookie: JSESSIONID=s6~E96F17364E9DC315FCF570AA04F06EB0; Path=/app/; HttpOnly; Secure
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
Expires: Sat, 1 Jan 2000 12:00:00 GMT
P3P: CP='NON CUR OUR'
Location: /app/survey/nocookie.jsp
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Fri, 18 Mar 2022 12:57:45 GMT
FAILS - returns HTTP 504 Bad Gateway:
LAPTOP:~$ curl -i 'https://example.com/app/survey/response.jsp' -H 'Content-Type: application/x-www-form-urlencoded' --data-raw 'foo=I work with select partners and country representatives to create annual humanitarian response plans that compliment Muslim Aids strategic goals, but also take into consideration country specific contexts and growth of partners.'
HTTP/1.0 504 Gateway Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<html><body><h1>504 Gateway Time-out</h1>
The server didn't respond in time.
</body></html>
There are no SQL injection rules in haproxy.cfg:
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    stats socket /var/lib/haproxy/stats
    tune.ssl.default-dh-param 2048
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DES-CBC3-SHA

defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000

listen stats
    bind 10.99.99.19:8088
    mode http
    stats enable
    stats refresh 5s
    balance
    timeout client 5000
    timeout connect 4000
    timeout server 30000

frontend http-example_prd
    mode http
    reqadd X-Forwarded-Proto:\ http
    bind *:80
    acl host_strict hdr(host) -i attract.example.com
    acl host_strict hdr(host) -i api.example.com
    redirect scheme https if !{ ssl_fc } host_strict
    use_backend honeypots_http if { src -f /etc/haproxy/blacklist.acl }
    default_backend example_prd_appserver_cluster_http_only

frontend https-example_prd
    mode http
    option tcplog
    reqadd X-Forwarded-Proto:\ https
    rspirep ^(set-cookie:.*) \1;\ Secure
    bind *:443 ssl crt /etc/ssl/certs/star_example_com.pem crt /etc/ssl/certs/starr_surveys_com.pem no-sslv3 no-tlsv10 no-tlsv11
    acl host_attract hdr(host) -i attract.example.com
    acl host_api hdr(host) -i api.example.com
    use_backend honeypots_https if { src -f /etc/haproxy/blacklist.acl }
    use_backend example_prd_appserver_cluster if host_attract
    use_backend example_prd_appserver_cluster if host_api
    default_backend example_prd_appserver_cluster_otherd

backend example_prd_appserver_cluster
    mode http
    balance roundrobin
    option forwardfor
    cookie SERVERID insert indirect nocache
    option httpchk HEAD /v1/heartbeat HTTP/1.1\r\nHost:\ example.com
    http-check expect status 200
    server appserver1 10.11.11.14:80 check cookie s1 fall 1 rise 1 inter 10s
    server appserver2 10.11.11.15:80 check cookie s2 fall 1 rise 1 inter 10s
    server appserver3 10.11.11.16:80 check cookie s3 fall 1 rise 1 inter 10s

backend example_prd_appserver_cluster_otherd
    mode http
    balance roundrobin
    option forwardfor
    cookie JSESSIONID prefix nocache
    option httpchk HEAD /appserver/watchdog.html HTTP/1.1\r\nHost:\ example.com
    http-check expect status 200
    server appserver4 10.12.12.21:9443 check cookie s4 fall 1 rise 1 inter 10s
    server appserver5 10.12.12.22:9443 check cookie s5 fall 1 rise 1 inter 10s
    server appserver6 10.12.12.23:9443 check cookie s6 fall 1 rise 1 inter 10s

backend example_prd_appserver_cluster_http_only
    mode http
    balance roundrobin
    option forwardfor
    cookie JSESSIONID prefix nocache
    option httpchk HEAD /appserver/watchdog.html HTTP/1.1\r\nHost:\ example.com
    http-check expect status 200
    server appserver4 10.12.12.21:8080 check cookie s7 fall 1 rise 1 inter 10s
    server appserver5 10.12.12.22:8080 check cookie s8 fall 1 rise 1 inter 10s
    server appserver6 10.12.12.23:8080 check cookie s9 fall 1 rise 1 inter 10s

backend honeypots_https
    mode http
    balance roundrobin
    option forwardfor
    cookie JSESSIONID prefix nocache
    http-check expect status 200
    server appserver7 10.13.13.39:443 check cookie s10 fall 1 rise 1 inter 10s ssl verify none
    server appserver8 10.13.13.31:443 check cookie s11 fall 1 rise 1 inter 10s ssl verify none

backend honeypots_http
    mode http
    balance roundrobin
    option forwardfor
    cookie SERVERID insert indirect nocache
    http-check expect status 200
    server appserver7 10.13.13.39:80 check cookie s12 fall 1 rise 1 inter 10s
    server appserver8 10.13.13.31:80 check cookie s13 fall 1 rise 1 inter 10s
Please help or suggest what the problem could be in this case.
Thank you.